Main goal is to reduce signing logic duplication between the systemd-boot and UKI generation. However, this quickly snowballed into wanting to actually verify by providing a custom secure boot keys to bcvk that things worked. This depends on https://github.com/bootc-dev/bcvk/pull/170 Now as part of that, I ran into what I think are bugs in pesign; this cuts things back over to using sbsign. I'll file a tracker for that separately. Finally as part of this, just remove the TMT example that builds a sealed image but doesn't actually verify it works - it's already drifted from what we do outside here. Ultimately what we need is to shift some of this into the Fedora examples and we just fetch it here anyways. Assisted-by: Claude Code (Sonnet 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
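# Override via --build-arg=base=<image> to use a different base
ARG base=localhost/bootc
FROM $base AS base

# Stage "kernel": install the UKI build/sign tooling on top of the base.
# This stage is only a build environment; nothing from it except the
# produced UKI (under /boot) is carried into the shipped image below.
FROM base AS kernel
RUN <<EORUN
set -xeuo pipefail
. /usr/lib/os-release
case $ID in
  centos|rhel)
    # sbsigntools lives in EPEL, which in turn needs CRB enabled
    dnf config-manager --set-enabled crb
    # Enable EPEL for sbsigntools
    dnf -y install epel-release
    ;;
esac
dnf -y install systemd-ukify sbsigntools
EORUN

# Must be passed: the composefs fs-verity digest of the base image, which is
# generated externally and baked into the kernel command line below.
ARG COMPOSEFS_FSVERITY
# The Secure Boot key and certificate are supplied as BuildKit secret mounts:
# they are visible under /run/secrets only for the duration of this RUN and
# never end up in an image layer or in `docker history`. The step also runs
# with networking disabled, so signing material cannot leave the builder.
RUN --network=none \
    --mount=type=secret,id=secureboot_key \
    --mount=type=secret,id=secureboot_cert \
    --mount=type=bind,from=base,target=/target \
    <<EOF
set -xeuo pipefail

# Should be generated externally; fail early if the build-arg was not passed
test -n "${COMPOSEFS_FSVERITY}"

# NOTE: enforcing=0 (SELinux permissive) and rw are test-environment kernel
# arguments; a production sealed image should not carry them.
cmdline="composefs=${COMPOSEFS_FSVERITY} console=ttyS0,115200n8 console=hvc0 enforcing=0 rw"

# Derive the kernel version from the (expected single) entry in
# /usr/lib/modules. With zero or several kernels the glob yields '*' or a
# space-separated list, so check that the result is one real directory
# instead of letting ukify fail on a nonsense path.
kver=$(cd /target/usr/lib/modules && echo *)
test -d "/target/usr/lib/modules/${kver}"

# Build the UKI and sign it with our key in one step; sbsign is used as the
# signing backend (--signtool) rather than pesign.
ukify build \
    --linux "/target/usr/lib/modules/${kver}/vmlinuz" \
    --initrd "/target/usr/lib/modules/${kver}/initramfs.img" \
    --uname="${kver}" \
    --cmdline "${cmdline}" \
    --os-release "@/target/usr/lib/os-release" \
    --signtool sbsign \
    --secureboot-private-key "/run/secrets/secureboot_key" \
    --secureboot-certificate "/run/secrets/secureboot_cert" \
    --measure \
    --json pretty \
    --output "/boot/${kver}.efi"
EOF

# Stage "final": place the signed UKI into a copy of the base, drop the
# unsigned kernel/initramfs, and run the bootc linter against the result.
FROM base AS final
RUN --network=none --mount=type=bind,from=kernel,target=/run/kernel <<EOF
set -xeuo pipefail
# Same single-kernel assumption as in the kernel stage; verify it.
kver=$(cd /usr/lib/modules && echo *)
test -d "/usr/lib/modules/${kver}"
mkdir -p /boot/EFI/Linux
# We put the UKI in /boot for now due to composefs verity not being the
# same due to mtime of /usr/lib/modules being changed
target="/boot/EFI/Linux/${kver}.efi"
cp "/run/kernel/boot/${kver}.efi" "${target}"
# And remove the defaults (spelled out rather than brace-expanded so this
# does not depend on /bin/sh being bash)
rm -v "/usr/lib/modules/${kver}/vmlinuz" "/usr/lib/modules/${kver}/initramfs.img"
# Symlink into the /usr/lib/modules location
ln -sr "${target}" "/usr/lib/modules/${kver}/${kver}.efi"
bootc container lint --fatal-warnings
EOF

# Stage "final-final": the shipped image. Only /boot is taken from "final";
# /usr/lib/modules is left exactly as in the base, presumably so the
# composefs digest passed as COMPOSEFS_FSVERITY still matches (see the mtime
# comment in the final stage) — confirm if that assumption changes.
FROM base AS final-final
COPY --from=final /boot /boot
# Override the default
LABEL containers.bootc=sealed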